cvedb.io
CVE-2022-31098
CRITICAL · CVSS 9
EPSS exploitation probability: 0%
Published 2022-06-27T22:15:09.180 · Last modified 2026-06-17T04:44:47.577

Summary

Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations (KubeConfig) of registered Kubernetes clusters, including the service account tokens in plain text, from the Weave GitOps pod logs on the management cluster. An unauthorized remote attacker can also view these sensitive configurations from external log storage if enabled by the management cluster. The vulnerability arises because the client factory dumps cluster configurations and their service account tokens when the cluster manager tries to connect to the API server of a registered cluster and a connection error occurs.

Affected products

weave — weave_gitops

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.